Bill Would Give ID Theft Victims More Weapons

A bill that includes anti-cybercrime provisions proposed by Senator Patrick Leahy (D-Vt.) is awaiting the President Bush's signature after it passed the U.S. House of Representatives earlier this week.

The provisions in the bill would make it easier for federal agencies to pursue cyber criminals, and increase the penalties for convictions of many cyber-crimes.

Give victims of identity theft the ability to seek restitution for the loss of time and money spent restoring credit and remedying the harms of identity theft;

Enable prosecution of those who steal personal information from a computer even when the victims computer is located in the same state as the thiefs computer. Under current law, federal courts only have jurisdiction if the thief uses an interstate communication to access the victims computer.

Make it a felony to employ spyware or keyloggers to damage ten or more computers regardless of the aggregate amount of damage caused, ensuring that the most egregious identity thieves will not escape with a minimal, or no, sentence.

Makes it a crime to threaten to steal or release information from a computer. Current law only permits the prosecution of those who seek to extort companies or government agencies by explicitly threatening to shut down or damage a computer. Violators of this provision are subject to a criminal fine and up to five years in prison.

Add the remedies of civil and criminal forfeiture to the arsenal of tools available to federal prosecutors to combat cyber crime, and mandate that the U.S. Sentencing Commission review and update its guidelines for identity theft and other cyber crime offenses.

Data breaches continue to hit the headlines. Only this week, news surfaced that about 75,000 accounts with sensitive information is at risk after a Walnut Creek, Calif. human resources outsourcing company was robbed over the Memorial Day weekend.

"In general, these provisions encompass a much wider and broader scope of potential criminal conduct that can be prosecuted as cyber crime, giving a lot of discretion to prosecutors on what tools they want to employ and how they want to use those tools when charging criminal defendants," Scott Christie, a partner in Newark, N.J. law firm McCarter & English, told Internetnews.com. Christie was formerly a federal prosecutor specializing in cybercrime.

Gordon Rapkin, CEO of enterprise data security management firm Protegrity, applauded the anti-cybercrime provisions. "This piece of legislation is aimed at the bad guy, and I like seeing legislation that does that," he said. "It's very clear now that, under Federal law, they can be made to pay for what they did."

If the bill is signed into law, federal prosecutors will be able to file charges against hackers even if they attack victims within the same state, where previously only hackers who struck across state lines or national borders were liable for prosecution in federal court.

"This is one of the more important changes, because now it doesn't appear that there needs to be remote access to a computer system at all," the lawyer, Christie, said. "It could apply to my walking into my company and gaining unauthorized access to information from a colleague's computer," he added.

As such, this amendment "seems that it would greatly expand the scope of criminal activities that could be prosecuted," Christie said.

Hackers who use spyware will be in for big trouble. First, Senator Leahy's provisions change the way damage to computers is calculated. Previously, a federal prosecution could only be launched if damage to a victim's computer exceeded $5,000 or resulted in damage to a government or military computer, or constituted a threat to public health or safety.

The proposed legislation will waive the $5,000 minimum for criminal prosecutions. And, if the hacker uses spyware or keyloggers to affect 10 or more computers during a one-year period, Senator Leahy's provisions will let them be federally prosecuted no matter how little or how much damage they caused. The provisions will also increase the penalties for hacking.

Christie takes issue with the wording of the provision. "What does it mean, affect 10 or more computers? " he asked. "It certainly gives prosecutors a lot of opportunity to prosecute low dollar-value computer crime by creatively crafting arguments showing that 10 or more computers were affected somehow," he said.

As for penalties, they will become much more severe. "Crimes which drew five years in prison now draw 10 years," Christie said. "More interestingly, for intentional hacking cases, if they cause serious bodily injury the statutory penalty will be 20 years, and if they cause death the statutory penalty will be life imprisonment," he added. These are the maximum sentences, Christie pointed out, not mandatory sentences.

More crimes

Senator Leahy's provisions will also make cyber extortion a crime and make it a federally prosecutable crime to threaten to obtain or release information from a protected computer. They also make it federally prosecutable to demand money in relation to a protected computer.

"Now, the law will be broadened to cover not only a threat to cause damage but also a threat to obtain information," Christie said. "Previously, you had to use a computer to transmit a message to extort money to be liable for federal prosecution; now, you don't have to transmit a message from a computer to be held liable."

Finally, the provisions will allow for cyber crime conspiracies. "You don't have to commit the crime, you just have to agree with someone else to do it," Christie said, adding that this gives a lot of clout to prosecutors as to how they want to charge offenders.